Tested Versions

Product URLs

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787: Out-of-bounds Write

Details

libxls is a C library, supported on Windows, Mac and Linux, that reads Microsoft Excel File Format (XLS) files. The library is used by the readxl package, which can be installed in the R programming language.
An out-of-bounds write appears in the xls_mergedCells function. Let's take a look at the vulnerable code:

The important variables are buf and bof, whose contents have been read in raw form from a file.
At line 612 the count value, which is exactly bof.size, controls a loop.
At line 614 the span variable is pointed at successive parts of the buf buffer. Because the span structure is based on data read directly from the file, an attacker
fully controls not only the number of iterations of the for loops at lines 616 and 617 but also the offsets used during writes to the pWs->rows structure.
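The missing check, shown as an added example that is neither libxls code nor part of the original advisory: every file-supplied span is validated against the bytes actually read and against the sheet's allocated dimensions before any write happens. The sheet_t type, the 8-byte span layout and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical simplified sheet: rows x cols grid of "hidden" flags. */
typedef struct { uint16_t rows, cols; uint8_t *hidden; } sheet_t;

enum { SPAN_SIZE = 8 }; /* assumed entry: rowf,rowl,colf,coll as LE uint16 */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate every file-supplied value, then write. Returns 0, or -1 on a
   malformed record; a rejected record leaves the sheet untouched. */
int apply_merged_cells(sheet_t *ws, const uint8_t *buf, size_t len, size_t count)
{
    if (count > len / SPAN_SIZE) return -1;      /* loop bound vs. bytes read */
    for (size_t i = 0; i < count; i++) {         /* pass 1: check only */
        const uint8_t *s = buf + i * SPAN_SIZE;
        uint16_t rowf = rd16(s), rowl = rd16(s + 2);
        uint16_t colf = rd16(s + 4), coll = rd16(s + 6);
        if (rowf > rowl || colf > coll) return -1;            /* inverted */
        if (rowl >= ws->rows || coll >= ws->cols) return -1;  /* off the grid */
    }
    for (size_t i = 0; i < count; i++) {         /* pass 2: ranges proven safe */
        const uint8_t *s = buf + i * SPAN_SIZE;
        /* 32-bit counters so r <= rowl cannot wrap a 16-bit index */
        for (uint32_t r = rd16(s); r <= rd16(s + 2); r++)
            for (uint32_t c = rd16(s + 4); c <= rd16(s + 6); c++)
                ws->hidden[(size_t)r * ws->cols + c] = 1;
    }
    return 0;
}

/* Constructed sample: one span against a 4x4 sheet. Returns the number of
   cells flagged, or -1 if the record was rejected. */
int run_sample(size_t count, uint16_t rowf, uint16_t rowl, uint16_t colf, uint16_t coll)
{
    uint8_t grid[16] = {0};
    sheet_t ws = { 4, 4, grid };
    uint8_t rec[SPAN_SIZE] = {
        (uint8_t)rowf, (uint8_t)(rowf >> 8), (uint8_t)rowl, (uint8_t)(rowl >> 8),
        (uint8_t)colf, (uint8_t)(colf >> 8), (uint8_t)coll, (uint8_t)(coll >> 8) };
    if (apply_merged_cells(&ws, rec, sizeof rec, count) != 0) return -1;
    int n = 0;
    for (size_t i = 0; i < sizeof grid; i++) n += grid[i];
    return n;
}
```

Checking all spans before applying any of them means a record with one bad entry cannot leave the sheet partially modified.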
Using our PoC we can observe the following values during a crash: